CHAPTER
5
Security Architecture
and Design
This chapter presents the following: • Computer hardware architecture • Operating system architectures
• Trusted computing base and security mechanisms • Protection mechanisms within an operating system • Various security models
• Assurance evaluation criteria and ratings • Certification and accreditation processes • Attack types
Computer and information security covers many areas within an enterprise. Each area has security vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. Not understanding the different areas and se-curity levels of network devices, operating systems, hardware, protocols, and applications can cause security vulnerabilities that can affect the environment as a whole.
Two fundamental concepts in computer and information security are the security policy and security model. A security policy is a statement that outlines how entities ac-cess each other, what operations different entities can carry out, what level of protection is required for a system or software product, and what actions should be taken when these requirements are not met. The policy outlines the expectations that the hardware and software must meet to be considered in compliance. A security model outlines the requirements necessary to properly support and implement a certain security policy. If a security policy dictates that all users must be identified, authenticated, and authorized before accessing network resources, the security model might lay out an access control matrix that should be constructed so it fulfills the requirements of the security policy. If a security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no cir-cumstances can a lower-level subject access a higher-level object in an unauthorized
1
ch05.indd 1
manner. A security model provides a deeper explanation of how a computer operating system should be developed to properly support a specific security policy.
NOTE
NOTE Individual systems and devices can have their own security policies. These are not the organizational security policies that contain management’s directives. The systems’ security policies, and the models they use, should enforce the higher-level organizational security policy that is in place. A system policy dictates the level of security that should be provided by the individual device or operating system.
Computer security can be a slippery term because it means different things to
differ-ent people. Many aspects of a system can be secured, and security can happen at various levels and to varying degrees. As stated in previous chapters, information security con-sists of the following main attributes:
• Availability Prevention of loss of, or loss of access to, data and resources • Integrity Prevention of unauthorized modification of data and resources • Confidentiality Prevention of unauthorized disclosure of data and resources These main attributes branch off into more granular security attributes, such as authenticity, accountability, nonrepudiation, and dependability. How does a company know which of these it needs, to what degree they are needed, and whether the operat-ing systems and applications they use actually provide these features and protection? These questions get much more complex as one looks deeper into the questions and products themselves. Companies are not just concerned about e-mail messages being encrypted as they pass through the Internet. They are also concerned about the confi-dential data stored in their databases, the security of their web farms that are connected directly to the Internet, the integrity of data-entry values going into applications that process business-oriented information, internal users sharing trade secrets, external at-tackers bringing down servers and affecting productivity, viruses spreading, the internal consistency of data warehouses, and much more.
These issues not only affect productivity and profitability, but also raise legal and liability issues with regard to securing data. Companies, and the management that runs them, can be held accountable if any one of the many issues previously mentioned goes wrong. So it is, or at least it should be, very important for companies to know what security they need and how to be properly assured that the protection is actually being provided by the products they purchase.
Many of these security issues must be thought through before and during the design and architectural phase for a product. Security is best if it is designed and built into the foundation of operating systems and applications and not added as an afterthought. Once security is integrated as an important part of the design, it has to be engineered, implemented, tested, audited, evaluated, certified, and accredited. The security that a product provides must be rated on the availability, integrity, and confidentiality it claims to provide. Consumers then use these ratings to determine if specific products
ch05.indd 2
provide the level of security they require. This is a long road, with many entities in-volved with different responsibilities.
This chapter takes you from the steps that are necessary before actually developing an operating system to how these systems are evaluated and rated by governments and other agencies, and what these ratings actually mean. However, before we dive into these concepts, it is important to understand how the basic elements of a computer system work. These elements are the pieces that make up any computer’s architecture.
Computer Architecture
Put the processor over there by the plant, the memory by the window, and the secondary storage upstairs.
Computer architecture encompasses all of the parts of a computer system that are necessary for it to function, including the operating system, memory chips, logic cir-cuits, storage devices, input and output devices, security components, buses, and net-working components. The interrelationships and internal net-working of all of these parts can be quite complex, and making them work together in a secure fashion consists of complicated methods and mechanisms. Thank goodness for the smart people who figured this stuff out! Now it is up to us to learn how they did it and why.
The more you understand how these different pieces work and process data, the more you will understand how vulnerabilities actually occur and how countermeasures work to impede and hinder vulnerabilities from being introduced, found, and exploited.
NOTE
NOTE This chapter interweaves the hardware and operating system architectures and their components to show you how they work together.
The Central Processing Unit
The CPU seems complex. How does it work?
Response: Black magic. It uses eye of bat, tongue of goat, and some transistors.
The central processing unit (CPU) is the brain of a computer. In the most general description possible, it fetches instructions from memory and executes them. Although a CPU is a piece of hardware, it has its own instruction sets (provided by the operating system) that are necessary to carry out its tasks. Each CPU type has a specific architec-ture and set of instructions that it can carry out. The operating system must be designed to work within this CPU architecture. This is why one operating system may work on a Pentium processor but not on a SPARC processor.
NOTE
NOTE Scalable Processor Architecture (SPARC) is a type of Reduced Instruction Set Computing (RISC) chip developed by Sun Microsystems. SunOS, Solaris, and some Unix operating systems have been developed to work on this type of processor.
ch05.indd 3
The chips within the CPU cover only a couple of square inches, but contain over 40 million transistors. All operations within the CPU are performed by electrical signals at different voltages in different combinations, and each transistor holds this voltage, which represents 0s and 1s to the computer. The CPU contains registers that point to memory locations that contain the next instructions to be executed and that enable the CPU to keep status information of the data that need to be processed. A register is a temporary storage location. Accessing memory to get information on what instructions and data must be executed is a much slower process than accessing a register, which is a component of the CPU itself. So when the CPU is done with one task, it asks the reg-isters, “Okay, what do I have to do now?” And the registers hold the information that tells the CPU what its next job is.
The actual execution of the instructions is done by the arithmetic logic unit (ALU). The ALU performs mathematical functions and logical operations on data. The ALU can be thought of as the brain of the CPU, and the CPU as the brain of the computer.
Software holds its instructions and data in memory. When action needs to take place on the data, the instructions and data memory addresses are passed to the CPU registers, as shown in Figure 5-1. When the control unit indicates that the CPU can process them, the instructions and data memory addresses are passed to the CPU for actual processing, number crunching, and data manipulation. The results are sent back to the requesting process’s memory address.
An operating system and applications are really just made up of lines and lines of instructions. These instructions contain empty variables, which are populated at run time. The empty variables hold the actual data. There is a difference between instructions and data. The instructions have been written to carry out some type of functionality on the data. For example, let’s say you open a Calculator application. In reality, this pro-gram is just lines of instructions that allow you to carry out addition, subtraction, divi-sion, and other types of mathematical functions that will be executed on the data you provide. So, you type in 3 + 5. The 3 and the 5 are the data values. Once you click the = button, the Calculator program tells the CPU it needs to take the instructions on how to carry out addition and apply these instructions to the two data values 3 and 5. The ALU carries out this instruction and returns the result of 8 to the requesting program. This is
ch05.indd 4
when you see the value 8 in the Calculator’s field. To users, it seems as though the Cal-culator program is doing all of this on its own, but it is incapable of this. It depends upon the CPU and other components of the system to carry out this type of activity.
The control unit manages and synchronizes the system while different applications’ code and operating system instructions are being executed. The control unit is the com-ponent that fetches the code, interprets the code, and oversees the execution of the dif-ferent instruction sets. It determines what application instructions get processed and in what priority and time slice. It controls when instructions are executed, and this execu-tion enables applicaexecu-tions to process data. The control unit does not actually process the data. It is like the traffic cop telling traffic when to stop and start again, as illustrated in Figure 5-2. The CPU’s time has to be sliced up into individual units and assigned to processes. It is this time slicing that fools the applications and users into thinking the system is actually carrying out several different functions at one time. While the operat-ing system can carry out several different functions at one time (multitaskoperat-ing), in real-ity the CPU is executing the instructions in a serial fashion (one at a time).
A CPU has several different types of registers, containing information about the instruction set and data that must be executed. General registers are used to hold vari-ables and temporary results as the ALU works through its execution steps. The general registers are like the ALU’s scratch pad, which it uses while working. Special registers (dedicated registers) hold information such as the program counter, stack pointer, and program status word (PSW). The program counter register contains the memory address of the next instruction to be fetched. After that instruction is executed, the program counter is updated with the memory address of the next instruction set to be processed. It is similar to a boss and secretary relationship. The secretary keeps the boss on sched-ule and points her (the boss) to the necessary tasks she must carry out. This allows the
Figure 5-1 Instruction and data addresses are passed to the CPU for processing.
ch05.indd 5
boss to just concentrate on carrying out the tasks instead of having to worry about the “busy work” being done in the background.
Before we get into what a stack pointer is, we must first know what a stack is. Each process has its own stack, which is a memory segment the process can read from and write to. Let’s say you and I need to communicate through a stack. What I do is put all of the things I need to say to you in a stack of papers. The first paper tells you how you can respond to me when you need to, which is called a return pointer. The next paper has some instructions I need you to carry out. The next piece of paper has the data you must use when carrying out these instructions. So, I write down on individual pieces of paper all that I need you to do for me and stack them up. When I am done, I tell you to read my stack of papers. You take the first page off the stack and carry out the request. Then you take the second page and carry out that request. You continue to do this until you are at the bottom of the stack, which contains my return pointer. You look at this return pointer (which is my memory address) to know where to send the results of all the instructions I asked you to carry out. This is how processes communicate to other processes and to the CPU. One process stacks up its information that it needs to com-municate to the CPU. The CPU has to keep track of where it is in the stack, which is the purpose of the stack pointer. Once the first item on the stack is executed, then the stack pointer moves down to tell the CPU where the next piece of data is located.
NOTE
NOTE The traditional way of explaining how a stack works is to use the analogy of stacking up trays in a cafeteria. When people are done eating, they place their trays on a stack of other trays, and when the cafeteria employees need to get the trays for cleaning, they take the last tray placed on top and work down the stack. This analogy is used to explain how a stack works in the mode of “last in, first off.” The process being communicated to takes the last piece of data the requesting process laid down from the top of the stack and works down the stack.
Figure 5-2 The control unit works as a traffic cop, indicating when instructions are sent to the processor.
ch05.indd 6
The program status word (PSW) holds different condition bits. One of the bits indi-cates whether the CPU should be working in user mode (also called problem state) or privileged mode (also called kernel or supervisor mode). The crux of this chapter is to teach you how operating systems protect themselves. They need to protect themselves from applications, utilities, and user activities if they are going to provide a stable and safe environment. One of these protection mechanisms is implemented through the use of these different execution modes. When an application needs the CPU to carry out its instructions, the CPU works in user mode. This mode has a lower privilege level and many of the CPU’s instructions and functions are not available to the requesting ap-plication. The reason for the extra caution is that the developers of the operating system do not know who developed the application or how it is going to react, so the CPU works in a lower privileged mode when executing these types of instructions. By anal-ogy, if you are expecting visitors who are bringing their two-year-old boy, you move all of the breakables that someone under three feet can reach. No one is ever sure what a two-year-old toddler is going to do, but it usually has to do with breaking something. An operating system and CPU are not sure what applications are going to attempt, which is why this code is executed in a lower privilege.
If the PSW has a bit value that indicates the instructions to be executed should be carried out in privileged mode, this means a trusted process (an operating system pro-cess) made the request and can have access to the functionality that is not available in user mode. An example would be if the operating system needed to communicate with a peripheral device. This is a privileged activity that applications cannot carry out. When these types of instructions are passed to the CPU, the PSW is basically telling the CPU, “The process that made this request is an all right guy. We can trust him. Go ahead and carry out this task for him.”
Memory addresses of the instructions and data to be processed are held in registers until needed by the CPU. The CPU is connected to an address bus, which is a hardwired connection to the RAM chips in the system and the individual input/output (I/O) de-vices. Memory is cut up into sections that have individual addresses associated with them. I/O devices (CD-ROM, USB device, hard drive, floppy drive, and so on) are also allocated specific unique addresses. If the CPU needs to access some data, either from memory or from an I/O device, it sends down the address of where the needed data are located. The circuitry associated with the memory or I/O device recognizes the address the CPU sent down the address bus and instructs the memory or device to read the re-quested data and put it on the data bus. So the address bus is used by the CPU to indi-cate the location of the instructions to be processed, and the memory or I/O device responds by sending the data that reside at that memory location through the data bus. This process is illustrated in Figure 5-3.
Once the CPU is done with its computation, it needs to return the results to the requesting program’s memory. So, the CPU sends the requesting program’s address down the address bus and sends the new results down the data bus with the command write. These new data are then written to the requesting program’s memory space.
The address and data buses can be 8, 16, 32, or 64 bits wide. Most systems today use a 32-bit address bus, which means the system can have a large address space (232).
Sys-tems can also have a 32-bit data bus, which means the system can move data in parallel
ch05.indd 7
back and forth between memory, I/O devices, and the CPU. (A 32-bit data bus means the size of the chunks of data a CPU can request at a time is 32 bits.)
Multiprocessing
Some specialized computers have more than one CPU, for increased performance. An operating system must be developed specifically to be able to understand and work with more than one processor. If the computer system is configured to work in symmet-ric mode, this means the processors are handed work as needed as shown with CPU 1 and CPU 2 in Figure 5-4. It is like a load-balancing environment. When a process needs instructions to be executed, a scheduler determines which processor is ready for more work and sends it on. If a processor is going to be dedicated for a specific task or ap-plication, all other software would run on a different processor. In Figure 5-4, CPU 4 is dedicated to one application and its threads, while CPU 3 is used by the operating sys-tem. When a processor is dedicated as in this example, the system is working in asym-metric mode. This usually means the computer has some type of time-sensitive applica-tion that needs its own personal processor. So, the system scheduler will send instruc-tions from the time-sensitive application to CPU 4 and send all the other instrucinstruc-tions (from the operating system and other applications) to CPU 3. The differences are shown in Figure 5-4.
Figure 5-3
Address and data buses are separate and have specific functionality.
ch05.indd 8
Operating System Architecture
An operating system provides an environment for applications and users to work with-in. Every operating system is a complex beast, made up of various layers and modules of functionality. It has the responsibility of managing the hardware components, mem-ory management, I/O operations, file system, process management, and providing sys-tem services. We next look at each of these responsibilities in every operating syssys-tem. However, you must realize that whole books are written on just these individual topics, so the discussion here will only be topical.
Process Management
Well just look at all of these processes squirming around like little worms. We need some real organization here!
Operating systems, utilities, and applications in reality are just lines and lines of instructions. They are static lines of code that are brought to life when they are initial-ized and put into memory. Applications work as individual units, called processes, and the operating system has several different processes carrying out various types of func-tionality. A process is the set of instructions that is actually running. A program is not considered a process until it is loaded into memory and activated by the operating
Figure 5-4 Symmetric mode and asymmetric mode
ch05.indd 9
system. When a process is created, the operating system assigns resources to it, such as a memory segment, CPU time slot (interrupt), access to system application program-ming interfaces (APIs), and files to interact with. The collection of the instructions and the assigned resources is referred to as a process.
The operating system has many processes, which are used to provide and maintain the environment for applications and users to work within. Some examples of the func-tionality that individual processes provide include displaying data onscreen, spooling print jobs, and saving data to temporary files. Today’s operating systems provide multi-programming, which means that more than one program (or process) can be loaded into memory at the same time. This is what allows you to run your antivirus software, word processor, personal firewall, and e-mail client all at the same time. Each of these applications runs as one or more processes.
Processor Evolution
The following table provides the different characteristics of the various processors used over the years.
Name Date Transistors Microns Clock Speed Data Width MIPS 8080 1974 6000 6 2MHz 8 bits 0.64 80286 1982 134,000 1.5 6MHz 16 bits 1 Pentium 1993 3,100,000 0.8 60MHz 32 bits, 64-bit bus 100 Pentium 4 2000 42,000,000 0.18 1.5GHz 32 bits, 64-bit bus 1700
The following list defines the terms of measure used in the preceding table: • Microns Indicates the width of the smallest wire on the CPU chip
(a human hair is 100 microns thick).
• Clock speed Indicates the speed at which the processor can execute instructions. An internal clock is used to regulate the rate of execution, which is broken down into cycles. A system that runs at 100MHz means there are 100 million clock cycles per second. Processors working at 4GHz are now available, which means the CPU can execute 4 thousand million cycles per second.
• Datawidth Indicates the amount of data the ALU can accept and process; 64-bit bus refers to the size of the data bus. So, modern systems fetch 64 bits of data at a time, but the ALU works only on instruction sets in 32-bit sizes.
• MIPS Millions of instructions per second, which is a basic indication of how fast a CPU can work (but other factors are involved, such as clock speed).
ch05.indd 10
NOTE
NOTE Many resources state that today’s operating systems provide multiprogramming and multitasking. This is true, in that multiprogramming just means more than one application can be loaded into memory at the same time. But in reality, multiprogramming was replaced by multitasking, which means more than one application can be in memory at the same time and the operating system can deal with requests from these different applications simultaneously.
Earlier operating systems wasted their most precious resource—CPU time. For ex-ample, when a word processor would request to open a file on a floppy drive, the CPU would send the request to the floppy drive and then wait for the floppy drive to initial-ize, for the head to find the right track and sector, and finally for the floppy drive to send the data via the data bus to the CPU for processing. To avoid this waste of CPU time, multitasking was developed, which enabled more than one program to be loaded into memory at one time. Instead of sitting idle waiting for activity from one process, the CPU could execute instructions for other processes, thereby speeding up the neces-sary processing required for all the different processes.
As an analogy, if you (CPU) put bread in a toaster (process) and just stand there wait-ing for the toaster to finish its job, you are wastwait-ing time. On the other hand, if you put bread in the toaster and then, while it’s toasting, feed the dog, make coffee, and come up with a solution for world peace, you are being more productive and not wasting time.
Operating systems started out as cooperative and then evolved into preemptive multitasking. Cooperative multitasking, used in Windows 3.1 and early Macintosh sys-tems, required the processes to voluntarily release resources they were using. This was not necessarily a stable environment, because if a programmer did not write his code properly to release a resource when his application was done using it, the resource would be committed indefinitely to his application and thus be unavailable to other processes. With preemptive multitasking, used in Windows 9x, NT, 2000, XP, and in Unix systems, the operating system controls how long a process can use a resource. The system can suspend a process that is using the CPU and allow another process access to it through the use of time sharing. So, in operating systems that used cooperative multi-tasking, the processes had too much control over resource release, and when an appli-cation hung, it usually affected all the other appliappli-cations and sometimes the operating system itself. Operating systems that use preemptive multitasking run the show, and one application does not negatively affect another application as easily.
Different operating system types work within different process models. For exam-ple, Unix and Linux systems allow their processes to create new children processes, which is referred to as forking. Let’s say you are working within a shell of a Linux system. That shell is the command interpreter and an interface that enables the user to interact with the operating system. The shell runs as a process. When you type in a shell the command cat file1 file2 | grep stuff, you are telling the operating system to concatenate (cat) the two files and then search (grep) for the lines that have the value of stuff in them. When you press the ENTER key, the shell forks two children processes—one for the cat command and one for the grep command. Each of these children processes takes on the characteristics of the parent process, but has its own memory space, stack, and program counter values.
ch05.indd 11
A process can run in running state (CPU is executing its instructions and data), ready state (waiting to send instructions to the CPU), or blocked state (waiting for input data, such as keystrokes from a user). These different states are illustrated in Figure 5-5. When a process is blocked, it is waiting for some type of data to be sent to it. In the preceding example of typing the command cat file1 file2 | grep stuff, the grep process cannot actually carry out its functionality of searching until the first pro-cess (cat) is done combining the two files. The grep propro-cess will put itself to sleep and will be in the blocked state until the cat process is done and sends the grep process the input it needs to work with.
NOTE
NOTE Not all operating systems create and work in the process hierarchy like Unix and Linux systems. Windows systems do not fork new children processes, but instead create new threads that work within the same context of the parent process. This is deeper than what you need to know for the CISSP exam, but life is not just about this exam—right?
The operating system is responsible for creating new processes, assigning them re-sources, synchronizing their communication, and making sure nothing insecure is tak-ing place. The operattak-ing system keeps a process table, which has one entry per process. The table contains each individual process’s state, stack pointer, memory allocation, program counter, and status of open files in use. The reason the operating system docu-ments all of this status information is that the CPU needs all of it loaded into its regis-ters when it needs to interact with, for example, process 1. When process 1’s CPU time slice is over, all of the current status information on process 1 is stored in the process table so that when its time slice is open again, all of this status information can be put back into the CPU registers. So, when it is process 2’s time with the CPU, its status in-formation is transferred from the process table to the CPU registers, and transferred back again when the time slice is over. These steps are shown in Figure 5-6.
How does a process know when it can communicate with the CPU? This is taken care of by using interrupts. An operating system fools us, and applications, into think-ing it and the CPU are carrythink-ing out all tasks (operatthink-ing system, applications, memory, I/O, and user activities) simultaneously. In fact, this is impossible. Most CPUs can do only one thing at a time. So the system has hardware and software interrupts. When a
Figure 5-5 Processes enter and exit different states.
ch05.indd 12
device needs to communicate with the CPU, it has to wait for its interrupt to be called upon. The same thing happens in software. Each process has an interrupt assigned to it. It is like pulling a number at a customer service department in a store. You can’t go up to the counter until your number has been called out.
When a process is interacting with the CPU and an interrupt takes place (another process has requested access to the CPU), the current process’s information is stored in the process table, and the next process gets its time to interact with the CPU.
NOTE
NOTE Some critical processes cannot afford to have their functionality interrupted by another process. The operating system is responsible for setting the priorities for the different processes. When one process needs to interrupt another process, the operating system compares the priority levels of the two processes to determine if this interruption should be allowed.
There are two categories of interrupts: maskable and non-maskable. A maskable interrupt is assigned to an event that may not be overly important and the programmer can indicate that if that interrupt calls, the program does not stop what it is doing. This
Figure 5-6 A process table contains process status data that the CPU requires.
ch05.indd 13
means the interrupt is ignored. Non-maskable interrupts can never be overridden by an application because the event that has this type of interrupt assigned to it is critical. As an example, the reset button would be assigned a non-maskable interrupt. This means that when this button is pushed, the CPU carries out its instructions right away.
As an analogy, a boss can tell her administrative assistant she is not going to take any calls unless the Pope or Elvis phones. This means all other people will be ignored or masked (maskable interrupt), but the Pope and Elvis will not be ignored (non-maskable interrupt). This is probably a good policy. You should always accept calls from either the Pope or Elvis. Just remember not to use any bad words when talking to the Pope.
The watchdog timer is an example of a critical process that must always do its thing. This process will reset the system with a warm boot if the operating system hangs and cannot recover itself. For example, if there is a memory management problem and the operating system hangs, the watchdog timer will reset the system. This is one mecha-nism that ensures the software provides more of a stable environment.
Thread Management
What are all of these hair-like things hanging off of my processes? Response: Threads.
As described earlier, a process is a program in memory. More precisely, a process is the program’s instructions and all the resources assigned to the process by the operating system. It is just easier to group all of these instructions and resources together and control it as one entity, which is a process. When a process needs to send something to the CPU for processing, it generates a thread. A thread is made up of an individual in-struction set and the data that must be worked on by the CPU.
ch05.indd 14
Most applications have several different functions. Word processors can open files, save files, open other programs (such as an e-mail client), and print documents. Each one of these functions requires a thread (instruction set) to be dynamically generated. So, for example, if Tom chooses to print his document, the word processor process generates a thread that contains the instructions of how this document should be print-ed (font, colors, text, margins, and so on). If he chooses to send a document via e-mail through this program, another thread is created that tells the e-mail client to open and what file needs to be sent. Threads are dynamically created and destroyed as needed. Once Tom is done printing his document, the thread that was generated for this func-tionality is destroyed.
A program that has been developed to carry out several different tasks at one time (display, print, interact with other programs) is capable of running several different threads simultaneously. An application with this capability is referred to as a multi-threaded application.
NOTE
NOTE Each thread shares the same resources of the process that created it. So, all the threads created by a word processor work in the same memory space and have access to all the same files and system resources.
Process Scheduling
Scheduling and synchronizing various processes and their activities is part of process management, which is a responsibility of the operating system. Several components need to be considered during the development of an operating system, which will dic-tate how process scheduling will take place. A scheduling policy is created to govern how threads will interact with other threads. Different operating systems can use differ-ent schedulers, which are basically algorithms that control the timesharing of the CPU. As stated earlier, the different processes are assigned different priority levels (interrupts) that dictate which processes overrule other processes when CPU time allocation is re-quired. The operating system creates and deletes processes as needed, and oversees them changing state (ready, blocked, running). The operating system is also responsible for controlling deadlocks between processes attempting to use the same resources.
Definitions
The concepts of how computer operating systems work can be overwhelming at times. For test purposes, make sure you understand the following definitions:
• Multiprogramming An operating system can load more than one program in memory at one time.
• Multitasking An operating system can handle requests from several different processes loaded into memory at the same time.
• Multithreading An application has the ability to run multiple threads simultaneously.
• Multiprocessing The computer has more than one CPU.
ch05.indd 15
When a process makes a request for a resource (memory allocation, printer, second-ary storage devices, disk space, and so on), the operating system creates certain data structures and dedicates the necessary processes for the activity to be completed. Once the action takes place (a document is printed, a file is saved, or data are retrieved from the drive), the process needs to tear down these built structures and release the resourc-es back to the rresourc-esource pool so they are available for other procresourc-essresourc-es. If this doresourc-es not happen properly, a deadlock situation may occur or a computer may not have enough resources to process other requests (resulting in a denial of service). A deadlock situa-tion may occur when each process in a set of processes is waiting for an event to take place and that event can only be caused by another process in the set. Because each process is waiting for its required event, none of the processes will carry out their events—so the processes just sit there staring at each other.
One example of a deadlock situation is when process A commits resource 1 and needs to use resource 2 to properly complete its task, but process B has committed re-source 2 and needs rere-source 1 to finish its job. So both processes are in deadlock be-cause they do not have the resources they need to finish the function they are trying to carry out. This situation does not take place as often as it used to, as a result of better programming. Also, operating systems now have the intelligence to detect this activity and either release committed resources or control the allocation of resources so they are properly shared between processes.
Operating systems have different methods of dealing with resource requests and releases and solving deadlock situations. In some systems, if a requested resource is unavailable for a certain period of time, the operating system kills the process that is “holding on to” that resource. This action releases the resource from the process that had committed it and restarts the process so it is “clean” and available for use by other applications. Other operating systems might require a program to request all the re-sources it needs before it actually starts executing instructions, or require a program to release its currently committed resources before it may acquire more.
Process Activity
Process 1, go into your room and play with your toys. Process 2, go into your room and play with your toys. No intermingling and no fighting!
Computers can run different applications and processes at the same time. The pro-cesses have to share resources and play nice with each other to ensure a stable and safe computing environment that maintains its integrity. Some memory, data files, and vari-ables are actually shared between different processes. It is critical that more than one process does not attempt to read and write to these items at the same time. The operat-ing system is the master program that prevents this type of action from takoperat-ing place and ensures that programs do not corrupt each other’s data held in memory. The operating system works with the CPU to provide time slicing through the use of interrupts to ensure that processes are provided with adequate access to the CPU. This also makes certain that critical system functions are not negatively affected by rogue applications.
To protect processes from each other, operating systems can implement process isolation. Process isolation is necessary to ensure that processes do not “step on each other’s toes,” communicate in an insecure manner, or negatively affect each other’s productivity. Older operating systems did not enforce process isolation as well as
sys-ch05.indd 16
tems do today. This is why in earlier operating systems, when one of your programs hung, all other programs, and sometimes the operating system itself, hung. With pro-cess isolation, if one propro-cess hangs for some reason, it will not affect the other software running. (Process isolation is required for preemptive multitasking.) Different meth-ods can be used to carry out process isolation:
• Encapsulation of objects
• Time multiplexing of shared resources • Naming distinctions
• Virtual mapping
When a process is encapsulated, no other process understands or interacts with its internal programming code. When process A needs to communicate with process B, process A just needs to know how to communicate with process B’s interface. An inter-face defines how communication must take place between two processes. As an analo-gy, think back to how you had to communicate with your third-grade teacher. You had to call her Mrs. So-and-So, say please and thank you, and speak respectfully to get what-ever it was you needed. The same thing is true for software components that need to communicate with each other. They must know how to communicate properly with each other’s interfaces. The interfaces dictate the type of requests a process will accept and the type of output that will be provided. So, two processes can communicate with each other, even if they are written in different programming languages, as long as they know how to communicate with each other’s interface. Encapsulation provides data
hiding, which means that outside software components will not know how a process
works and will not be able to manipulate the process’s internal code. This is an integ-rity mechanism and enforces modulainteg-rity in programming code.
Time multiplexing was already discussed, although we did not use this term. Time multiplexing is a technology that allows processes to use the same resources. As stated earlier, a CPU must be shared between many processes. Although it seems as though all applications are running (executing their instructions) simultaneously, the operating system is splitting up time shares between each process. Multiplexing means there are several data sources and the individual data pieces are piped into one communication channel. In this instance, the operating system is coordinating the different requests from the different processes and piping them through the one shared CPU. An operat-ing system must provide proper time multiplexoperat-ing (resource sharoperat-ing) to ensure a stable working environment exists for software and users.
Naming distinctions just means that the different processes have their own name or identification value. Processes are usually assigned process identification (PID) values, which the operating system and other processes use to call upon them. If each process is isolated, that means each process has its own unique PID value.
Virtual mapping is different from the physical mapping of memory. An application is written such that basically it thinks it is the only program running on an operating system. When an application needs memory to work with, it tells the operating system’s memory manager how much memory it needs. The operating system carves out that amount of memory and assigns it to the requesting application. The application uses its own address scheme, which usually starts at 0, but in reality, the application does
ch05.indd 17
not work in the physical address space it thinks it is working in. Rather, it works in the address space the memory manager assigns to it. The physical memory is the RAM chips in the system. The operating system chops up this memory and assigns portions of it to the requesting processes. Once the process is assigned its own memory space, it can ad-dress this portion however it wishes, which is called virtual adad-dress mapping. Virtual address mapping allows the different processes to have their own memory space; the memory manager ensures no processes improperly interact with another process’s memory. This provides integrity and confidentiality.
Memory Management
To provide a safe and stable environment, an operating system must exercise proper memory management—one of its most important tasks. After all, everything happens in memory. It’s similar to how we depend on oxygen and gravity for our existence. If either slides out of balance, we’re in big trouble.
The goals of memory management are to: • Provide an abstraction level for programmers
• Maximize performance with the limited amount of memory available • Protect the operating system and applications loaded into memory
Abstraction means that the details of something are hidden. Developers of applica-tions do not know the amount or type of memory that will be available in each and every system their code will be loaded on. If a developer had to be concerned with this type of detail, then her application would be able to work only on the one system that maps to all of her specifications. To allow for portability, the memory manager hides all of the memory issues and just provides the application with a memory segment.
Every computer has a memory hierarchy. Certain small amounts of memory are very fast and expensive (registers,
cache), while larger amounts are slower and less expensive (RAM, hard drive). The portion of the operating system that keeps track of how these differ-ent types of memory are used is lovingly called the memory manager. Its jobs are to allocate and deallocate different mem-ory segments, enforce access control to ensure processes are interacting only with their own memory segments, and swap memory contents from RAM to the hard drive.
ch05.indd 18
The memory manager has five basic responsibilities:
Relocation
• Swap contents from RAM to the hard drive as needed (explained later in the “Virtual Memory” section of this chapter)
• Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory
Protection
• Limit processes to interact only with the memory segments assigned to them • Provide access control to memory segments
Sharing
• Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments
• Allow many users with different levels of access to interact with the same application running in one memory segment
Logical organization
• Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures
Physical organization
• Segment the physical memory space for application and operating system processes
NOTE
NOTE A dynamic link library (DLL) is a set of functions that applications can call upon to carry out different types of procedures. For example, the Windows operating system has a crypt32.dll that is used by the operating system and applications for cryptographic functions. Windows has a set of DLLs, which is just a library of functions to be called upon.
How can an operating system make sure a process only interacts with its memory segment? When a process creates a thread, because it needs some instructions and data processed, the CPU uses two registers. A base register contains the beginning address that was assigned to the process, and a limit register contains the ending address, as il-lustrated in Figure 5-7. The thread contains an address of where the instruction and data reside that need to be processed. The CPU compares this address to the base and limit registers to make sure the thread is not trying to access a memory segment outside of its bounds. So, the base register makes it impossible for a thread to reference a mem-ory address below its allocated memmem-ory segment, and the limit register makes it impos-sible for a thread to reference a memory address above this segment.
ch05.indd 19
Memory is also protected through the use of user and privileged modes of execu-tion, as previously mentioned, and covered in more detail later in the “CPU Modes and Protection Rings” section of this chapter.
Memory Types
The operating system instructions, applications, and data are held in memory, but so are the basic input/output system (BIOS), device controller instructions, and firmware. They do not all reside in the same memory location or even the same type of memory. The different types of memory, what they are used for, and how each is accessed can get a bit confusing because the CPU deals with several different types for different reasons.
Figure 5-7
Base and limit registers are used to contain a process in its own memory segment.
Memory Protection Issues
• Every address reference is validated for protection.
• Two or more processes can share access to the same segment with potentially different access rights.
• Different instruction and data types can be assigned different levels of protection.
• Processes cannot generate an unpermitted address or gain access to an unpermitted segment.
All of these issues make it more difficult for memory management to be car-ried out properly in a constantly changing and complex system. Any time more complexity is introduced, it usually means more vulnerabilities can be exploited.
ch05.indd 20
The following sections outline the different types of memory that can be used with-in computer systems.
Random Access Memory
Random access memory (RAM) is a type of temporary storage facility where data and program instructions can temporarily be held and altered. It is used for read/write ac-tivities by the operating system and applications. It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.
RAM is an integrated circuit made up of millions of transistors and capacitors. The capacitor is where the actual charge is stored, which represents a 1 or 0 to the system. The transistor acts like a gate or a switch. A capacitor that is storing a binary value of 1 has several electrons stored in it, which have a negative charge, whereas a capacitor that is storing a 0 value is empty. When the operating system writes over a 1 bit with a 0 bit, in reality it is just emptying out the electrons from that specific capacitor.
One problem is that these capacitors cannot keep their charge for long. Therefore, a memory controller has to “recharge” the values in the capacitors, which just means it continually reads and writes the same values to the capacitors. If the memory controller does not “refresh” the value of 1, the capacitor will start losing its electrons and become a 0 or a corrupted value. This explains how dynamic RAM (DRAM) works. The data be-ing held in the RAM memory cells must be continually and dynamically refreshed so your bits do not magically disappear. This activity of constantly refreshing takes time, which is why DRAM is slower than static RAM.
NOTE
NOTE When we are dealing with memory activities, we use a time metric of nanoseconds (ns), which is a billionth of a second. So if you look at your RAM chip and it states 70 ns, this means it takes 70 nanoseconds to read and refresh each memory cell.
Static RAM (SRAM) does not require this continuous-refreshing nonsense; it uses a different technology, by holding bits in its memory cells without the use of capacitors, but it does require more transistors than DRAM. Since SRAM does not need to be re-freshed, it is faster than DRAM, but because SRAM requires more transistors, it takes up more space on the RAM chip. Manufacturers cannot fit as many SRAM memory cells on a memory chip as they can DRAM memory cells, which is why SRAM is more expensive. So, DRAM is cheaper and slower, and SRAM is more expensive and faster. It always seems to go that way. SRAM has been used in cache, and DRAM is commonly used in RAM chips.
Hardware Segmentation
Systems of a higher trust level may need to implement hardware segmentation of the memory used by different processes. This means memory is separated physi-cally instead of just logiphysi-cally. This adds another layer of protection to ensure that a lower-privileged process does not access and modify a higher-level process’s memory space.
ch05.indd 21
Because life is not confusing enough, we have many other types of RAM. The main reason for the continual evolution of RAM types is that it directly affects the speed of the computer itself. Many people, mistakenly, think that just because you have a fast proces-sor, your computer will be fast. However, memory type and size and bus sizes are also critical components. Think of memory as pieces of paper used by the system to hold instructions. If the system had small pieces of papers (small amount of memory) to read and write from, it would spend most of its time looking for these pieces and lining them up properly. When a computer spends more time moving data from one small portion of memory to another than actually processing the data, it is referred to as thrashing. This causes the system to crawl in speed and your frustration level to increase.
The size of the data bus also makes a difference in system speed. You can think of a data bus as a highway that connects different portions of the computer. If a ton of data must go from memory to the CPU and can only travel over a four-lane highway, com-pared to a 64-lane highway, there will be delays in processing. So the processor, mem-ory type and amount, and bus speeds are critical components to system performance.
The following are additional types of RAM you should be familiar with:
• Synchronous DRAM (SDRAM) Synchronizes itself with the system’s CPU and synchronizes signal input and output on the RAM chip. It coordinates its activities with the CPU clock so the timing of the CPU and the timing of the memory activities are synchronized. This increases the speed of transmitting and executing data.
• Extended data out DRAM (EDO DRAM) Is faster than DRAM because DRAM can access only one block of data at a time, whereas EDO DRAM can capture the next block of data while the first block is being sent to the CPU for processing. It has a type of “look ahead” feature that speeds up memory access. • Burst EDO DRAM (BEDO DRAM) Works like (and builds upon) EDO
DRAM in that it can transmit data to the CPU as it carries out a read option, but it can send more data at once (burst). It reads and sends up to four memory addresses in a small number of clock cycles.
• Double data rate SDRAM (DDR SDRAM) Carries out read operations on the rising and falling cycles of a clock pulse. So instead of carrying out one operation per clock cycle, it carries out two and thus can deliver twice the throughput of SDRAM. Basically, it doubles the speed of memory activities, when compared to SDRAM, with a smaller number of clock cycles. Pretty groovy.
NOTE
NOTE These different RAM types require different controller chips to interface with them; therefore, the motherboards that these memory types are used on often are very specific in nature.
Well, that’s enough about RAM for now. Let’s look at other types of memory that are used in basically every computer in the world.
Read-Only Memory
Read-only memory (ROM) is a nonvolatile memory type, meaning that when a comput-er’s power is turned off, the data are still held within the memory chips. When data are
ch05.indd 22
inserted into ROM memory chips, the data cannot be altered. Individual ROM chips are manufactured with the stored program or routines designed into it. The software that is stored within ROM is called firmware.
Programmable read-only memory (PROM) is a form of ROM that can be modified after it has been manufactured. PROM can be programmed only one time because the voltage that is used to write bits into the memory cells actually burns out the fuses that connect the individual memory cells. The instructions are “burned into” PROM using a specialized PROM programmer device.
Erasable and programmable read-only memory (EPROM) can be erased, modified, and upgraded. EPROM holds data that can be electrically erased or written to. To erase the data on the memory chip, you need your handy-dandy ultraviolet (UV) light device that provides just the right level of energy. The EPROM chip has a quartz window, which is where you point the UV light. Although playing with UV light devices can be fun for the whole family, we have moved on to another type of ROM technology that does not require this type of activity.
To erase an EPROM chip, you must remove the chip from the computer and wave your magic UV wand, which erases all of the data on the chip—not just portions of it. So someone invented electrically erasable programmable read-only memory (EEPROM), and we all put our UV light wands away for good.
EEPROM is similar to EPROM, but its data storage can be erased and modified elec-trically by onboard programming circuitry and signals. This activity erases only one byte at a time, which is slow. And because we are an impatient society, yet another tech-nology was developed that is very similar, but works more quickly.
Flash memory is a special type of memory that is used in digital cameras, BIOS chips, memory cards for laptops, and video game consoles. It is a solid-state technolo-gy, meaning it does not have moving parts and is used more as a type of hard drive than memory.
Flash memory basically moves around different levels of voltages to indicate that a 1 or 0 must be held in a specific address. It acts as a ROM technology rather than a RAM technology. (For example, you do not lose pictures stored on your memory stick in your digital camera just because your camera loses power. RAM is volatile and ROM is non-volatile.) When Flash memory needs to be erased and turned back to its original state, a program initiates the internal circuits to apply an electric field. The erasing function takes place in blocks or on the entire chip instead of erasing one byte at a time.
Flash memory is used as a small disk drive in most implementations. Its benefits over a regular hard drive are that it is smaller, faster, and lighter. So let’s deploy Flash memory everywhere and replace our hard drives! Maybe one day. Today it is relatively expensive compared to regular hard drives.
References
• Unix/Linux Internals Course and Links www.softpanorama.org/Internals • Linux Knowledge Base and Tutorial www.linux-tutorial.info/modules
.php?name=Tutorial&pageid=117
• Fast, Smart RAM, Peter Wayner, Byte.com (June 1995) www.byte.com/ art/9506/sec10/art2.htm
ch05.indd 23
Cache Memory
I am going to need this later, so I will just stick it into cache for now.
Cache memory is a type of memory used for high-speed writing and reading activi-ties. When the system assumes (through its programmatic logic) that it will need to access specific information many times throughout its processing activities, it will store the information in cache memory so it is easily and quickly accessible. Data in cache can be accessed much more quickly than data stored in real memory. Therefore, any information needed by the CPU very quickly, and very often, is usually stored in cache memory, thereby improving the overall speed of the computer system.
An analogy is how the brain stores information it uses often. If one of Marge’s pri-mary functions at her job is to order parts, which requires telling vendors the company’s address, Marge stores this address information in a portion of her brain from which she can easily and quickly access it. This information is held in a type of cache. If Marge was asked to recall her third-grade teacher’s name, this information would not necessarily be held in cache memory, but in a more long-term storage facility within her noggin. The long-term storage within her brain is comparable to a system’s hard drive. It takes more time to track down and return information from a hard drive than from special-ized cache memory.
NOTE
NOTE Different motherboards have different types of cache. Level 1 (L1) is faster than Level 2 (L2), and L2 is faster than L3. Some processors and device controllers have cache memory built into them. L1 and L2 are usually built into the processors and the controllers themselves.
Memory Mapping
Okay, here is your memory, here is my memory, and here is Bob’s memory. No one use each other’s memory!
Because there are different types of memory holding different types of data, a com-puter system does not want to let every user, process, and application access all types of memory anytime they want to. Access to memory needs to be controlled to ensure data do not get corrupted and that sensitive information is not available to unauthorized processes. This type of control takes place through memory mapping and addressing.
The CPU is one of the most trusted components within a system, and can access memory directly. It uses physical addresses instead of pointers (logical addresses) to memory segments. The CPU has physical wires connecting it to the memory chips within the computer. Because physical wires connect the two types of components, physical addresses are used to represent the intersection between the wires and the transistors on a memory chip. Software does not use physical addresses; instead, it em-ploys logical memory addresses. Accessing memory indirectly provides an access con-trol layer between the software and the memory, which is done for protection and efficiency. Figure 5-8 illustrates how the CPU can access memory directly using physical addresses and how software must use memory indirectly through a memory mapper.
Let’s look at an analogy. You would like to talk to Mr. Marshall about possibly buy-ing some acreage in Iowa. You don’t know Mr. Marshall personally, and you do not want to give out your physical address and have him show up at your doorstep. Instead, you
ch05.indd 24
would like to use a more abstract and controlled way of communicating, so you give Mr. Marshall your phone number so you can talk to him about the land and determine whether you want to meet him in person. The same type of thing happens in computers. When a computer runs software, it does not want to expose itself unnecessarily to soft-ware written by good and bad programmers. Computers enable softsoft-ware to access mem-ory indirectly by using index tables and pointers, instead of giving them the right to access the memory directly. This is one way the computer system protects itself.
When a program attempts to access memory, its access rights are verified and then instructions and commands are carried out in a way to ensure that badly written code does not affect other programs or the system itself. Applications, and their processes, can only access the memory allocated to them, as shown in Figure 5-9. This type of memory architecture provides protection and efficiency.
The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. And relative addresses are based on a known address with an offset value applied. As ex-plained previously, an application does not “know” it is sharing memory with other applications. When the program needs a memory segment to work with, it tells the memory manager how much memory it needs. The memory manager allocates this much physical memory, which could have the physical addressing of 34,000 to 39,000, for example. But the application is not written to call upon addresses in this numbering scheme. It is most likely developed to call upon addresses starting with 0 and extending to, let’s say, 5000. So the memory manager allows the application to use its own
ad-Figure 5-8 The CPU and applications access memory differently.
ch05.indd 25
dressing scheme—the logical addresses. When the application makes a call to one of these “phantom” logical addresses, the memory manager must map this address to the actual physical address. (It’s like two people using their own naming scheme. When Bob asks Diane for a ball, Diane knows he really means a stapler. Don’t judge Bob and Diane, it works for them.)
The mapping process is illustrated in Figure 5-10. When an application needs its instructions and data processed by the CPU, the physical addresses are loaded into the base and limit registers. When a thread indicates the instruction needs to be processed, it provides a logical address. The memory manager maps the logical address to the physical address, so the CPU knows where the instruction is located. The thread will actually be using a relative address, because the application uses the address space of 0 to 5000. When the thread indicates it needs the instruction at the memory address 3400 to be executed, the memory manager has to work from its mapping of logical ad-dress 0 to the actual physical adad-dress and then figure out the physical adad-dress for the logical address 3400. So the logical address 3400 is relative to the starting address 0.
As an analogy, if I know you use a different number system than everyone else in the world, and you tell me that you need 14 cookies, I would need to know where to start in your number scheme to figure out how many cookies to really give you. So, if you inform me that in “your world” your numbering scheme starts at 5, I would map 5 to 0 and know that the offset is a value of 5. So when you tell me you want 14 cookies (the relative number), I take the offset value into consideration. I know that you start at the value 5, so I map your logical address of 14 to the physical number of 8. (But I would
Figure 5-9 Applications, and the processes they use, access their own memory segments only.
ch05.indd 26
not give you 8 cookies, because you made me work too hard to figure all of this out. I will just eat them myself.)
So the application is working in its “own world” using its “own addresses,” and the memory manager has to map these values to reality, which means the absolute address values.
Memory Leaks
Oh great, the memory leaked all over me. Does someone have a mop?
When an application makes a request for a memory segment, it is allocated a spe-cific memory amount by the operating system. When the application is done with the memory, it is supposed to tell the operating system to release the memory so it is avail-able to other applications. This is only fair. But some applications are written poorly and do not indicate to the system that this memory is no longer in use. If this happens enough times, the operating system could become “starved” for memory, which would drastically affect the system’s performance.
Figure 5-10 The CPU uses absolute addresses, and software uses logical addresses.
ch05.indd 27
When a memory leak is identified in the hacker world, this opens the door to new Denial-of-Service (DoS) attacks. For example, when it was uncovered that a Unix ap-plication and a specific version of a Telnet protocol contained memory leaks, hackers amplified the problem. They continually sent requests to systems with these vulnerabil-ities. The systems would allocate resources for these network requests, which in turn would cause more and more memory to be allocated and not returned. Eventually the systems would run out of memory and freeze.
NOTE
NOTE Memory leaks can be caused by operating systems, applications, and software drivers.
Two main countermeasures can protect against memory leaks: developing better code that releases memory properly, and using a garbage collector. A garbage collector is software that runs an algorithm to identify unused committed memory and then tells the operating system to mark that memory as “available.” Different types of garbage col-lectors work with different operating systems, programming languages, and algorithms.
Virtual Memory
My RAM is overflowing! Can I use some of your hard drive space? Response: No, I don’t like you.
Secondary storage is considered nonvolatile storage media and includes such things as the computer’s hard drive, floppy disks, or CD-ROMs. When RAM and secondary storage are combined, the result is virtual memory. The system uses hard drive space to extend its RAM memory space. Swap space is the reserved hard drive space used to ex-tend RAM capabilities. Windows systems use the pagefile.sys file to reserve this space. When a system fills up its volatile memory space, it writes data from memory onto the hard drive. When a program requests access to this data, it is brought from the hard drive back into memory in specific units, called page frames. This process is called pag-ing. Accessing data kept in pages on the hard drive takes more time than accessing data kept in memory because physical disk read/write access must take place. Internal con-trol blocks, maintained by the operating system, keep track of what page frames are residing in RAM, and what is available “offline,” ready to be called into RAM for execu-tion or processing, if needed. The payoff is that it seems as though the system can hold an incredible amount of information and program instructions in memory, as shown in Figure 5-11.
A security issue with using virtual swap space is that when the system is shut down, or processes that were using the swap space are terminated, the pointers to the pages are reset to “available” even though the actual data written to disk is still physically there. These data could conceivably be compromised and captured. On a very secure operat-ing system, there are routines to wipe the swap spaces after a process is done with it, before it is used again. The routines should also erase this data before a system shut-down, at which time the operating system would no longer be able to maintain any control over what happens on the hard drive surface.
ch05.indd 28
NOTE
NOTE If a program, file, or data are encrypted and saved on the hard drive, it will be decrypted when used by the controlling program. While these unencrypted data are sitting in RAM, the system could write out the data to the swap space on the hard drive, in their unencrypted state. Attackers have figured out how to gain access to this space in unauthorized manners.
References
• “Introduction to Virtual Memory,” by Tuncay Basar, Kyung Kim, and Bill Lemley http://cs.gmu.edu/cne/itcore/virtualmemory/vmintro.html • Memory Hierarchy http://courses.ece.uiuc.edu/ece411/lectures/
LecturesSpring05/Lectures_2.07.pdf
• “Virtual Memory,” by Prof. Bruce Jacob, University of Maryland at College Park (2001) www.ee.umd.edu/~blj/papers/CS-chapter.pdf
• LabMice.net links to articles on memory leaks http://labmice.techtarget.com/ troubleshooting/memoryleaks.htm
Figure 5-11 Combining RAM and secondary storage to create virtual memory
ch05.indd 29